What is Enterprise Security Architecture (ESA)?
Introduction
Enterprise Security Architecture (ESA) is a specialized type of Enterprise Architecture that focuses
upon the entire scope of Security and the following Security Capabilities:
• Threat Risk Analysis (TRA) / Privacy Impact Analysis (PIA)
• Threat Modeling
• Security Controls
• Risk Assessment
• Security (Technical) Debt
• Security Governance
ESA is used for Cybersecurity, Mobile Security, Cloud Security, IoT Security, Data Centre Security and
Vendor/Supplier (3rd Party) Security.
ESA is delivered using international standards and frameworks (TOGAF and ArchiMate from The Open
Group for the architecture method and notation, FAIR for risk quantification, and COSMIC FFP, ISO/IEC
19761, for functional size measurement) to manage the lifecycle of security (Strategy, Development,
Implementation, Governance).
ESA is also used to help organizations create their Security Department, and/or improve their Security
Architecture and Risk Assessments.
Finally, ESA can be used to implement individual Security Capabilities, thereby allowing organizations
to focus upon those abilities that are most critical.
Enterprise Security Architecture (ESA)
This section provides a brief overview of each component of Enterprise Security Architecture (ESA):
TRA/PIA, Threat Modeling, Security Controls, Risk Assessment and Security Debt.
Please Note: the innovations developed by JVG Consulting to improve ESA are presented at the end of
this topic.
TRA/PIA
Threat Risk Analysis (TRA) and Privacy Impact Analysis (PIA) are used to scope the potential Threats and
Risks to all IT Assets (Apps, Data, Systems).
A TRA/PIA consists of a high-level model of the IT Assets under review and identifies where
Vulnerabilities may exist within and across those IT Assets.
The key focus is upon the Data Flows across all IT Assets and a determination of the Asset Risk, Data
Risk and Privacy Impact for exposed Data.
In most cases, the TRA/PIA is performed at the conceptual level and is used for scoping purposes.
When stakeholders and projects need more details, they will progress to Threat Modeling. In some
cases, Threat Modeling is undertaken in lieu of TRA/PIA.
Threat Modeling
Threat Modeling is the next step in Enterprise Security Architecture, after a TRA/PIA has been
completed. It is performed at the logical and physical levels and is used to identify potential Threats to
IT Assets and Data.
There are a number of approaches to Threat Modeling that hold sway in the marketplace today:
• Data Flow Diagrams (DFD)
• Process Flow Diagrams (PFD)
• Threat Centric
• Risk Centric
The most common approach to Threat Modeling is the use of Data Flow Diagrams, which focus upon
the flow of corporate Data across IT Assets and the trust boundaries those flows cross. Microsoft’s
Threat Modeling Tool uses this approach, applying the STRIDE threat categories to each element of the
diagram.
Process Flow Diagrams, used by commercial tools like ThreatModeler, focus upon the processes that
operate across IT Assets. Further, a repository of common Process Flows is available for use when
you perform Threat Modeling of your project or application portfolio.
Both DFDs and PFDs have their proponents, and both are typically used to analyze/design Applications.
A Threat Centric approach to Threat Modeling focuses upon potential Threats to IT Assets and Data,
and is used to document Vulnerabilities.
A Risk Centric approach to Threat Modeling (PASTA is the best-known example) focuses upon those IT
Assets and Data that have the greatest Risk if they are compromised, which in turn is used to determine
the scope of the Threat Modeling.
The biggest criticism of typical Threat Modeling is that it is focused upon Applications and not the
entire Technology Stack. Hence, potential threats at the infrastructure and platform layers (hosts,
container platforms, networks, identity services, backups) are often overlooked, thereby creating
opportunities for attack.
Finally, Attack Trees and Kill Chains can also be used during Threat Modeling. In practice, however,
they tend to be applied after a Breach, when reconstructing how the attacker progressed.
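The DFD approach and the whole-stack criticism above, as an added example that is not code from the page or from any of the tools it names: a small threat model enumerates STRIDE-per-element threats (Microsoft's published mapping of threat categories to external entities, processes, data stores and data flows) over a constructed ordering system modelled at the application, platform and infrastructure layers. The `layer` attribute, the trust-zone comparison and the triage rule that marks sensitive data and boundary-crossing flows as high priority are assumptions of this example, not part of STRIDE.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# STRIDE-per-element: which threat categories apply to which kind of DFD element.
# This is Microsoft's published SDL rule set. S=Spoofing, T=Tampering, R=Repudiation,
# I=Information disclosure, D=Denial of service, E=Elevation of privilege.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass
class Element:
    name: str
    kind: str                   # a key of STRIDE_PER_ELEMENT
    layer: str                  # "application", "platform" or "infrastructure" (assumed attribute)
    trust_zone: str             # two elements in different zones are separated by a trust boundary
    data_classification: str = "internal"   # "public", "internal", "confidential" or "pii"
    src: Optional[str] = None   # data_flow only: name of the sending element
    dst: Optional[str] = None   # data_flow only: name of the receiving element

@dataclass
class Threat:
    element: str
    category: str               # full STRIDE name
    layer: str
    crosses_boundary: bool      # True for a data flow that crosses a trust boundary
    priority: str               # "high", "medium" or "low"

def validate(elements: List[Element]) -> Dict[str, Element]:
    """Index elements by name and reject flows whose endpoints are not in the model."""
    by_name = {e.name: e for e in elements}
    if len(by_name) != len(elements):
        raise ValueError("element names must be unique")
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r} on {e.name!r}")
        if e.kind == "data_flow" and (e.src not in by_name or e.dst not in by_name):
            raise ValueError(f"data flow {e.name!r} references an element that is not modeled")
    return by_name

def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element to every element; prioritise by data sensitivity and trust boundaries."""
    by_name = validate(elements)
    threats: List[Threat] = []
    for e in elements:
        crosses = False
        if e.kind == "data_flow":
            crosses = by_name[e.src].trust_zone != by_name[e.dst].trust_zone
        sensitive = e.data_classification in ("confidential", "pii")
        # Triage rule (an assumption of this example, not part of STRIDE): sensitive data
        # held by a process/store, or crossing a trust boundary, is high priority.
        if sensitive and (e.kind != "data_flow" or crosses):
            priority = "high"
        elif crosses:
            priority = "medium"
        else:
            priority = "low"
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], e.layer, crosses, priority))
    return threats

def coverage_by_layer(threats: List[Threat]) -> Dict[str, int]:
    """Threats per layer; a zero for platform or infrastructure is the gap the text warns about."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.layer] = counts.get(t.layer, 0) + 1
    return counts

# Constructed sample system: an internet-facing ordering application modelled across
# all three layers of the stack, not only the application.
SAMPLE_SYSTEM = [
    Element("Browser", "external_entity", "application", "internet"),
    Element("Web API", "process", "application", "dmz", "pii"),
    Element("Orders DB", "data_store", "platform", "cluster", "pii"),
    Element("Container host", "process", "infrastructure", "cluster"),
    Element("Backup bucket", "data_store", "infrastructure", "cloud-storage", "pii"),
    Element("login/checkout", "data_flow", "application", "internet", "pii", src="Browser", dst="Web API"),
    Element("SQL queries", "data_flow", "application", "dmz", "pii", src="Web API", dst="Orders DB"),
    Element("nightly dump", "data_flow", "infrastructure", "cluster", "pii", src="Orders DB", dst="Backup bucket"),
    Element("metrics scrape", "data_flow", "infrastructure", "cluster", src="Container host", dst="Orders DB"),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_SYSTEM)
    for t in sorted(found, key=lambda t: (t.priority != "high", t.layer, t.element)):
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.priority:<6} {t.layer:<14} {t.element:<16} {t.category}{flag}")
    print("threats per layer:", coverage_by_layer(found))
```

Run it and `coverage_by_layer` shows threats in all three layers; delete the three infrastructure and platform elements and the platform and infrastructure counts disappear, which is exactly the application-only blind spot described above. The nightly dump from the database to the backup bucket is the kind of infrastructure-layer flow (PII leaving the cluster across a trust boundary) that an application-scoped model never draws.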
Security Controls
When most people think of security, they tend to think of specific security controls, such as Anti-Virus
software.
Security Controls exist at all layers of the Technology Stack (Infrastructure, Platform, and Application)
and Environments (Cloud, ASP, Mobile, Hybrid, Public, Private and On-Premise).
Three (3) major categories of operational Security Controls are discussed here:
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Security Information and Event Management (SIEM)
Note that all three are detection-and-response controls. Control frameworks such as NIST SP 800-53 or
the CIS Controls also cover preventive controls (authentication, access control, encryption, patching,
network segmentation) and administrative controls; a Risk Assessment has to account for those as well.
Each layer of the Technology Stack, and the IT Assets and Data contained within it, can be covered by
an Intrusion Detection System (IDS). As the name implies, an IDS monitors an IT Asset (network, server,
database, application, web portal, mobile device, etc.) for suspicious activity and flags it when it
occurs. Anti-Virus software that scans your system and reports a Virus is a host-level detective control
of this kind; strictly, a network IDS such as Snort or Suricata inspects traffic, while host-based tools
inspect files and processes.
An Intrusion Prevention System (IPS), which likewise can operate at every layer of the Technology
Stack, automatically takes action to stop an attack or suspicious activity, for example by dropping the
offending traffic. Anti-Virus software that quarantines or removes a Virus it finds on your system is the
host-level analogue.
All organizations, even small businesses, should have a Security Information and Event Management
(SIEM) system, or tool. The SIEM collects and correlates the logs of all IT Assets throughout the entire
Technology Stack and creates an Alert when suspicious activity or an attack is found.
Newer SIEM Tools ingest events in real time rather than only reading log files after the fact.
The SIEM Tool is the central console for security monitoring in an organization and is the starting
point for Incident Response and Event Management. Splunk is an example of a SIEM platform; OSSEC is
strictly a host-based intrusion detection system (HIDS) that is typically used as a log source feeding a
SIEM.
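What "collects and correlates the logs of all IT Assets" means in practice, as an added example that is not code from the page or from any SIEM product: two correlation rules run over a constructed event stream that mixes a network-layer IDS sensor with a host-layer sshd auth log. The sshd lines copy OpenSSH's well-known wording; the `ids` lines, the host names, the addresses and the thresholds and windows are all invented for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample events (not real logs). The sshd lines copy OpenSSH's auth-log
# wording; the "ids" lines use a made-up key=value format standing in for whatever the
# network sensor emits. Timestamps are UTC, ISO 8601.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z ids sensor=edge-1 sig="SSH brute force attempt" src=203.0.113.5 dst=10.0.0.12
2024-05-01T10:00:07Z web-01 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
2024-05-01T10:00:09Z web-01 sshd[4121]: Failed password for root from 203.0.113.5 port 50123 ssh2
2024-05-01T10:00:12Z web-01 sshd[4122]: Failed password for deploy from 203.0.113.5 port 50124 ssh2
2024-05-01T10:00:15Z web-01 sshd[4123]: Failed password for deploy from 203.0.113.5 port 50125 ssh2
2024-05-01T10:00:18Z web-01 sshd[4124]: Failed password for deploy from 203.0.113.5 port 50126 ssh2
2024-05-01T10:00:21Z web-01 sshd[4125]: Accepted password for deploy from 203.0.113.5 port 50127 ssh2
2024-05-01T10:05:00Z web-01 sshd[4130]: Failed password for alice from 198.51.100.7 port 41000 ssh2
2024-05-01T10:05:30Z web-01 sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
2024-05-01T10:30:00Z ids sensor=edge-1 sig="SSH brute force attempt" src=192.0.2.44 dst=10.0.0.12
2024-05-01T11:10:00Z web-01 sshd[4200]: Accepted password for deploy from 192.0.2.44 port 42000 ssh2
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) '
    r'(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')
IDS_RE = re.compile(
    r'^(?P<ts>\S+) ids sensor=(?P<host>\S+) sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=\S+')

@dataclass
class Event:
    ts: datetime
    layer: str      # "network" (IDS sensor) or "host" (server auth log)
    host: str       # sensor or server that produced the event
    src: str        # source IP address the event is about
    kind: str       # "ids_alert", "auth_fail" or "auth_ok"
    detail: str

@dataclass
class Alert:
    rule: str
    src: str
    host: str
    evidence: str

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_events(text: str) -> List[Event]:
    """Normalise raw lines from two different log sources into one time-ordered event stream."""
    events: List[Event] = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append(Event(_ts(m["ts"]), "network", m["host"], m["src"], "ids_alert", m["sig"]))
            continue
        m = SSHD_RE.match(line)
        if m:
            kind = "auth_ok" if m["result"] == "Accepted" else "auth_fail"
            events.append(Event(_ts(m["ts"]), "host", m["host"], m["src"], kind,
                                f"{m['result']} login as {m['user']}"))
        # lines matching neither parser are dropped; a real SIEM would count and surface them
    events.sort(key=lambda e: e.ts)
    return events

def brute_force_then_success(events: List[Event], threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Host-layer rule: an accepted login preceded by >= threshold failures from the same source."""
    by_src = defaultdict(list)
    for e in events:
        if e.kind in ("auth_fail", "auth_ok"):
            by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():            # evs keeps the time order of the input stream
        for i, e in enumerate(evs):
            if e.kind != "auth_ok":
                continue
            fails = [f for f in evs[:i] if f.kind == "auth_fail" and e.ts - f.ts <= window]
            if len(fails) >= threshold:
                alerts.append(Alert("brute-force-then-success", src, e.host,
                                    f"{len(fails)} failed logins then '{e.detail}'"))
                break                          # one alert per source is enough
    return alerts

def ids_alert_then_login(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Cross-layer rule: a network IDS alert for a source, then a successful host login from it."""
    ids_by_src = defaultdict(list)
    for e in events:
        if e.kind == "ids_alert":
            ids_by_src[e.src].append(e)
    alerts = []
    for e in events:
        if e.kind != "auth_ok":
            continue
        hits = [a for a in ids_by_src[e.src] if timedelta(0) <= e.ts - a.ts <= window]
        if hits:
            alerts.append(Alert("ids-alert-then-login", e.src, e.host,
                                f"'{hits[0].detail}' seen by {hits[0].host}, then '{e.detail}'"))
    return alerts

def correlate(events: List[Event]) -> List[Alert]:
    return brute_force_then_success(events) + ids_alert_then_login(events)

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOGS)):
        print(f"[{a.rule}] src={a.src} host={a.host}: {a.evidence}")
```

Only 203.0.113.5 fires both rules. The login from 192.0.2.44 is not alerted even though the sensor flagged it, because the login came forty minutes after the IDS alert, outside the rule's window; whether that window is right is a tuning decision, and the point of having both layers in one console is that neither the sensor nor the server alone can make it.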
Risk Assessment
The Open Group’s Factor Analysis of Information Risk (FAIR) standard defines Risk as the probable
frequency and probable magnitude of future loss. Risk is derived from the combination of Threat Event
Frequency, Vulnerability, Asset Value and Liability characteristics.
To be successful at Risk Assessment, a full Taxonomy of all IT Assets, Data and Security Controls is
required so that an accurate evaluation can be performed. A missing or incomplete Taxonomy is a form of
Security (Technical) Debt, and results in higher costs to perform a Risk Assessment.
Most organizations place the emphasis upon Security Controls for their IT Assets and Data when
performing a Risk Assessment. However, what happens when a Security Control is bypassed and
Customer Information is stolen? Focusing upon Security Controls alone provides an incomplete Risk
Assessment, because it says nothing about what the loss would cost.
A proper Risk Assessment leverages a Taxonomy of IT Assets, Data and Security Controls, and then
evaluates the Economic Loss Magnitude and the Loss Event Frequency to determine Risk (FAIR’s risk
value is the annualized loss exposure, the Loss Event Frequency combined with the Loss Magnitude).
The Economic Loss Magnitude is the Value of the IT Asset affected and/or the Liability it introduces to
an organization. FAIR splits it into Primary Loss (response, replacement, lost productivity) and
Secondary Loss (fines, legal liability and reputation damage arising from the reaction of third parties).
The Loss Event Frequency is the expected number of loss events within a specific time-frame (typically
one year); it is a frequency, not a probability. FAIR derives it from two sub-components: Threat Event
Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that such
an action results in a loss, obtained by comparing Threat Capability against the Resistance Strength of
the controls).
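The FAIR arithmetic just described, carried through for one scenario as an added example that is not code from the page or from The Open Group: Vulnerability is estimated as the probability that a sampled Threat Capability exceeds a sampled Resistance Strength, Loss Event Frequency is Threat Event Frequency times Vulnerability, and the annual loss is the sum of Primary plus Secondary Loss over the loss events that occur that year. The scenario, all of its (minimum, most likely, maximum) ranges and the "after MFA + segmentation" control change are invented calibration estimates, not data from any real assessment; the triangular distribution and Knuth's Poisson sampler are this example's modelling choices.

```python
import math
import random
from dataclasses import dataclass, replace
from typing import Dict, Tuple

Range = Tuple[float, float, float]   # (minimum, most likely, maximum) calibrated estimate

@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range   # TEF: threat events per year
    threat_capability: Range        # TCap: 0..1, capability of the threat community
    resistance_strength: Range      # RS: 0..1, control strength on the same scale as TCap
    primary_loss: Range             # per event, in currency: response, replacement, productivity
    secondary_loss: Range           # per event: fines, customer liability, reputation

def sample(r: Range, rng: random.Random) -> float:
    """Draw from a triangular distribution; note random.triangular takes (low, high, mode)."""
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)

def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year at annual rate lam (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def estimate_vulnerability(s: Scenario, rng: random.Random, trials: int = 20000) -> float:
    """FAIR Vulnerability = P(Threat Capability exceeds Resistance Strength)."""
    hits = sum(sample(s.threat_capability, rng) > sample(s.resistance_strength, rng)
               for _ in range(trials))
    return hits / trials

def simulate(s: Scenario, trials: int = 20000, seed: int = 7) -> Dict[str, float]:
    """Monte Carlo: LEF = TEF x Vulnerability; annual loss = sum of per-event losses."""
    rng = random.Random(seed)
    vuln = estimate_vulnerability(s, rng)
    annual, lef_total = [], 0.0
    for _ in range(trials):
        lef = sample(s.threat_event_frequency, rng) * vuln   # Loss Event Frequency this year
        lef_total += lef
        loss = 0.0
        for _ in range(poisson(lef, rng)):                   # each loss event has its own magnitude
            loss += sample(s.primary_loss, rng) + sample(s.secondary_loss, rng)
        annual.append(loss)
    annual.sort()
    q = lambda p: annual[int(p * (len(annual) - 1))]          # empirical percentile
    return {
        "vulnerability": vuln,
        "loss_event_frequency": lef_total / trials,
        "mean_annual_loss": sum(annual) / trials,
        "p10": q(0.10), "p50": q(0.50), "p90": q(0.90),
    }

def with_control(s: Scenario, resistance_strength: Range) -> Scenario:
    """The same scenario after a control change, expressed as a new Resistance Strength estimate."""
    return replace(s, resistance_strength=resistance_strength)

# Constructed scenario with invented estimates: an internet-facing customer database,
# threat community = opportunistic external attackers.
CUSTOMER_DB_BREACH = Scenario(
    name="External compromise of customer database",
    threat_event_frequency=(2, 5, 20),
    threat_capability=(0.40, 0.60, 0.90),
    resistance_strength=(0.30, 0.50, 0.80),    # password-only access, flat network
    primary_loss=(20_000, 80_000, 300_000),
    secondary_loss=(0, 50_000, 1_500_000),     # regulator fines and customer liability dominate
)

if __name__ == "__main__":
    for label, s in [("current controls", CUSTOMER_DB_BREACH),
                     ("after MFA + segmentation", with_control(CUSTOMER_DB_BREACH, (0.60, 0.80, 0.95)))]:
        r = simulate(s)
        print(f"{label}: vulnerability={r['vulnerability']:.2f} LEF={r['loss_event_frequency']:.1f}/yr "
              f"mean={r['mean_annual_loss']:,.0f} p10={r['p10']:,.0f} p50={r['p50']:,.0f} p90={r['p90']:,.0f}")
```

Two things the paragraph alone does not show: the control change lowers Risk only through the Vulnerability factor (Threat Event Frequency and Loss Magnitude are untouched by MFA), and the output is a distribution with a P90, not one number, which is why FAIR asks for ranges rather than point estimates. The secondary-loss range is the term that exposes the "what if the control is bypassed" question in the text: it is where stolen Customer Information turns into Liability.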
Security (Technical) Debt
Technical Debt is the Cost of missing, incomplete or inaccurate documentation, design, code /
configuration and rework of code / configuration for the entire Technology Stack of an organization.
Security Debt is the Technical Debt of Security and relates to Security Controls, Threat Models, Assets,
Data and Risk (as described above). Security Debt occurs at the project, program, portfolio, operations
and organization levels.
However, the Cost of Security Debt is compounded by the Economic Loss Magnitude for the Assets
and Data that are breached, or have a high probability of being breached.
One can approach resolving Security Debt by taking a Risk-based Approach: focus upon those IT
Assets and Data that are most critical to the organization and build a Security Taxonomy for those
Resources. To further accelerate the recovery from Security Debt, use a consistent, simple method for
documenting all elements of the Security Taxonomy (Assets, Data, Controls, and Threat Models).
Innovations by JVG Consulting
Organizations that undertake Enterprise Security Architecture, as defined in the above-mentioned article,
will find the cost to be prohibitive. Consequently, these organizations will create more Security Debt
and Risk for themselves.
At JVG Consulting, we have taken the international standards used for Enterprise Security Architecture
(ESA) and have applied Lean Principles, Techniques and Tools to reduce the cost and increase the
speed of delivery for Enterprise Security Architecture (ESA).
Consequently, our re-factored and lean approach implements Enterprise Security Architecture (ESA)
using the following components:
• Threat Use Case Modeling© – TRA/PIA and Threat Modeling
• Threat Costing© – Asset Valuation and Economic Loss Magnitude
• Threat Debt© – Risk-Based Recovery of Security Debt
• Threat Risk© – Risk Assessment of Projects, Programs and Portfolios
• Threat Control© – Security Controls for IT Assets and Data
• Continuous Security© – pluggable Security Capability: Standalone or part of DevOps
